Question regarding DS profile exploit

Thread starter: Chaldron · Views: 16,630 · Replies: 75
Chaldron

I heard that the DS profile exploit is still available in 6.x - it just doesn't grant kernel access. Is this true? Just wondering.

Thanks!
 
According to smealum's blog, the ds profile exploit was never fixed as of 6.3. It's not much use without the kernel exploit, which was patched.

Edit:
It’s interesting that such a vulnerability even exists in mset; apparently, such an approach had been attempted on the DSi and it was not vulnerable to it. Additionally, the crash had been documented on 3Dbrew for a while, and yet somehow the vulnerability is still open to this day (on 6.3. Of course, user mode stack smashes can be achieved through other vectors...)
 
Are you saying that it has been blocked? If not, I don't understand what we're disagreeing about. The ds profile exploit will still come in handy if another 2nd-stage exploit is ever found in 6.3.
 
It is partially blocked, making it no longer 100% of the time exploitable.

In real-world terms for non-technical users, a partial block is the same as a fully blocked exploit, because if a hacker is not attempting to make it a reliable exploit again, it is effectively dead.
 
Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).
 
Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).

There is no need to theorycraft whether this exploit is still usable or not when there is a real-world example of this exploit in the form of the Gateway flashcart and clones; it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit: it is effectively dead on a 3DS firmware of 5.0 or higher at this time.

You're confusing "exploit still exists" with "exploit still works"; these are two different things.
 
The exploit still works. You can use it with a ROP chain, as yifanlu says. It still exists and works. You're confusing working/existing with usable for morons. The latter is not exactly what a hacking section should be focused on.
 
OP knows that there is no usable exploit for 5.0+ systems. The question is whether the ds profile exploit can still be used in case a new kernel exploit is discovered in 6.3. I'll believe that the answer to that question is "yes" unless you have some source saying otherwise.
 
The exploit still works. You can use it with a ROP chain, as yifanlu says. It still exists and works. You're confusing working/existing with usable for morons. The latter is not exactly what a hacking section should be focused on.

OP knows that there is no usable exploit for 5.0+ systems. The question is whether the ds profile exploit can still be used in case a new kernel exploit is discovered in 6.3. I'll believe that the answer to that question is "yes" unless you have some source saying otherwise.

I see you two are going to make me wait for 6.4 or higher to come out to vindicate who knows what to be correct. Incidentally, that would also give an absolute answer to the OP's question on that matter.
 
Yes, the DS profile exploit still works on 6.3. In theory, it could allow for homebrew on 6.3 provided that homebrews are compiled into ROP lists. Also, if another kernel exploit is found, it'll allow 6.3 to run your pirated games (versus if Nintendo patches the DS profile exploit in 6.4+, then even a new kernel exploit would be useless until another Usermode exploit is found. You need both to run unsigned code).

Thank you for your useful explanations :)

Yifan Lu is a genius in the hacking scene. He would deserve more respect and gratitude.
 
There is no need to theorycraft whether this exploit is still usable or not when there is a real-world example of this exploit in the form of the Gateway flashcart and clones; it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit: it is effectively dead on a 3DS firmware of 5.0 or higher at this time.

You're confusing "exploit still exists" with "exploit still works"; these are two different things.

Maybe you should look up who you are arguing with.
 
There is no need to theorycraft whether this exploit is still usable or not when there is a real-world example of this exploit in the form of the Gateway flashcart and clones; it is the same exploit used by Smea to run his version of emuNAND. These all have the same limitations of the exploit: it is effectively dead on a 3DS firmware of 5.0 or higher at this time.

You're confusing matters. The "exploit" to which you're referring, used by smea and Gateway, is actually made to exploit more than one vulnerability. Exploiting the first vulnerability gets you access to the user mode, where a second-stage vulnerability is exploited to allow "kernel mode" access. The latter is required for all the patches to the system that smea's "CFW" and Gateway's "Gateway mode" make. The former (user mode) vulnerability still exists in the latest firmware and it is entirely usable. That's all the OP wanted to know.

tl;dr the vulnerability in question isn't "effectively dead". More like it's dormant until it becomes useful again.
 
Just FYI: I haven't actually tried exploiting the DS profile vuln on 6.3 or looked into it at all. All I know is the crash still happens, but it's entirely possible that it happens differently and isn't exploitable, AFAIK. I should have reflected that in my article; sorry about that.
Nevertheless, McHaggis has the right idea.
 
Okay, thanks for all the replies! I understand it better now.

So if a kernel exploit is found, it might be possible to use the DS NVRAM exploit as "gateway" (no pun intended) to get to the kernel access, correct?

Thanks again.
 
The mset haxx vuln exists, even in 6.3, but no ARM9 vuln exists.

I have not tried to do something with mset haxx on >4.5, because I don't have useful ROP gadgets. And yes, mset haxx works a bit differently after the 5.X update, but it has not been fixed or updated since 5.X.
 